registry  /  @skylence-ai/skyline  /  1.0.56

@skylence-ai/skyline@1.0.56

Content-hash line editor — CLI and MCP server

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The npm postinstall hook automatically invokes skyline setup through a platform binary. Documented setup installs a supervised autostart MCP/HTTP daemon and agent CLI plugins, creating persistent AI-agent control-surface wiring during package installation.

Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
npm install when lifecycle scripts run
Impact
Unconsented install-time persistence and AI-agent/MCP control-surface registration in the consumer environment.
Mechanism
postinstall launches platform binary setup
Policy narrative
On install, package.json runs postinstall.js. That script spawns the package CLI with setup, which bin.js delegates to an installed platform binary. The package README documents that setup installs a supervised autostart HTTP daemon and best-effort agent CLI plugins, exposing an MCP endpoint for AI clients. This is lifecycle-triggered mutation of persistent AI-agent control surfaces rather than a purely user-invoked setup flow.
Rationale
Static inspection confirms install-time execution of setup and package documentation states that setup creates a supervised daemon plus agent plugins. Under the provided policy, unconsented lifecycle delivery into broad AI-agent control surfaces is blockable even when product-aligned.
Evidence
package.jsonpostinstall.jsbin.jsREADME.md
Network endpoints2
127.0.0.1:7333/mcp127.0.0.1:<free-port>/mcp

Decision evidence

public snapshot
AI called this Malicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node postinstall.js
  • postinstall.js runs bin.js with setup during npm lifecycle unless CI or SKYLINE_NO_AUTO_SETUP is set
  • bin.js resolves and spawnSyncs a platform optional dependency binary with inherited stdio
  • README.md says skyline setup installs a supervised autostart HTTP daemon on port 7333
  • README.md says setup best-effort installs Skyline marketplace plugins for agent CLIs already on PATH
  • README.md instructs agent MCP/plugin wiring to 127.0.0.1:<port>/mcp
Evidence against
  • No credential harvesting or exfiltration code is present in the JS wrapper files
  • No network fetch code appears in package JS sources
  • Lifecycle hook is documented as best-effort and can be skipped with CI or SKYLINE_NO_AUTO_SETUP
Behavioral surface
Source
ChildProcessEnvironmentVars
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 2.05 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin.jsView file
matchType = malicious_source_fingerprint_signature signature = 202b3dfd3937dab6 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = @skylence-ai/skyline@1.0.55 matchedPath = bin.js matchedIdentity = npm:QHNreWxlbmNlLWFpL3NreWxpbmU:1.0.55 similarity = 1.000 shingleOverlap = 2 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

bin.jsView on unpkg

Findings

2 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Fingerprint Signaturebin.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present